OpenPGP - Advanced Settings

e-ignite:  Communicate Securely

Here are some helpful settings for OpenPGP encryption. They are more advanced than the setup instructions, which are aimed at people starting with OpenPGP from scratch.

Using OpenPGP Without a Passphrase
Automatically Sign and/or Encrypt Emails

Using OpenPGP Without a Passphrase
It is possible to use OpenPGP without a passphrase on your private key. The advantage is convenience: you never have to type anything to encrypt, decrypt or sign mail, so the whole process runs "silently" in the background. The disadvantage is security. The passphrase is the only thing protecting the private key from anyone who can read the file it is stored in; without it, the key is exactly as secure as the system, backup or disk image that holds it. If you are going to do this, I'd recommend keeping your mail profile and your GnuPG keyring in an encrypted directory (or on an encrypted disk), and keeping a revocation certificate for the key somewhere safe.

Using an existing key
To remove the passphrase from an existing key you have to edit it on the command line, so if you have not yet configured the command line for GnuPG (so that "gpg" runs from a command prompt), do that first.
Open the command prompt by hitting START > RUN > cmd
Type "gpg --edit-key [existing key ID]" (if you don't know the ID, "gpg --list-secret-keys" shows it)
Type "passwd"
Enter your current passphrase and hit ENTER
Leave the new passphrase prompt blank and press ENTER
Press ENTER again at the repeat prompt, and confirm if GnuPG warns you that you are removing the passphrase
Type "save" (without this step the change is discarded)
Exit the command prompt
Open Thunderbird, go to OpenPGP > PREFERENCES
Under the "Basic" tab, select the box "No Passphrase for User" then hit OK.

Creating a New Key
Open Thunderbird and select OpenPGP > KEY MANAGEMENT > GENERATE > NEW KEY PAIR
Select all your options and check the box marked "No Passphrase" (I'd also recommend that you remove the "No Password" comment that Enigmail puts in the comment line above, so the key itself does not advertise it)
Generate the key (follow the on-screen prompts)
Go to OpenPGP > PREFERENCES and, under the "Basic" tab, select the box "No Passphrase for User" then hit OK.

[Screenshot: Configure encryption and signing without a password]

That's it! You can now encrypt, sign and decrypt mail without having to type your passphrase each time. Please remember, however, that you have significantly reduced your security: anyone who obtains a copy of your profile or keyring (from a compromised or stolen system, or from an unencrypted backup) can read every message ever encrypted to that key, including old mail, and can sign mail posing as you.
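To make the warning above concrete, here is an added example (not part of the original page, and not an Enigmail or GnuPG tool) that you can run in a throwaway directory with GnuPG 2.1 or later. It creates a key with no passphrase using the unattended "%no-protection" parameter (the command-line equivalent of the "No Passphrase" checkbox, so it covers the new-key procedure rather than stripping the passphrase from an existing key), encrypts a message to it, copies only the key files to a second directory standing in for an attacker who copied your profile or disk, and decrypts there. The name "demo@example.invalid", the message text and the directory names are constructed for the demo; nothing touches your real ~/.gnupg.

```sh
#!/bin/sh
# Added example, not from the original page: what a key "without a
# passphrase" means in practice (GnuPG 2.1+).  Every step happens in
# throwaway GNUPGHOME directories, never in the real ~/.gnupg.
set -eu

demo_no_passphrase() {
    command -v gpg >/dev/null 2>&1 || { echo "SKIP: gpg not installed"; return 0; }
    work=$(mktemp -d)
    owner="$work/owner"; thief="$work/thief"
    mkdir -m 700 "$owner" "$thief"

    # 1. unattended key generation; %no-protection = no passphrase at all
    #    (constructed identity, not a real address)
    GNUPGHOME="$owner" gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Demo User
Name-Email: demo@example.invalid
Expire-Date: 0
%commit
EOF

    # 2. encrypt a constructed message to the new key
    printf 'meeting at noon' |
        GNUPGHOME="$owner" gpg --batch --quiet --trust-model always \
            --armor --encrypt --recipient demo@example.invalid > "$work/msg.asc"

    # 3. "steal" the key: the public keybox and the private-key directory are
    #    all an attacker needs (no trustdb, no agent state, no sockets)
    cp -R "$owner/pubring.kbx" "$owner/private-keys-v1.d" "$thief/"

    # 4. decrypt from the copy: nothing prompts, because there is no
    #    passphrase to ask for; the plaintext comes straight out
    plaintext=$(GNUPGHOME="$thief" gpg --batch --quiet --decrypt "$work/msg.asc")

    # tidy up the agents gpg started for the throwaway homes
    for d in "$owner" "$thief"; do
        GNUPGHOME="$d" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$work"
    printf '%s\n' "$plaintext"
}

demo_no_passphrase
```

If gpg is not installed the function says so and returns without doing anything; otherwise it prints the recovered plaintext. The same copy-and-decrypt step against a passphrase-protected keyring would stop at a passphrase prompt, which is the whole difference the passphrase makes.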


Automatically Sign and/or Encrypt Emails
In Thunderbird / Enigmail, it is possible to automatically sign and/or encrypt your email. This can be done in two ways:

Sign and/or Encrypt All Mail
To sign and/or encrypt all emails that you send, open Thunderbird, select TOOLS > ACCOUNT SETTINGS and highlight the email account that you want to sign and/or encrypt mail from. Select its "OpenPGP Security" entry; on the right of that screen there are several checkboxes.

To sign all outgoing emails, mark the following checkboxes:
"Sign non-encrypted messages by default"
"Sign encrypted messages by default"

To encrypt all outgoing emails, mark the following checkbox:
"Encrypt messages by default"

Note that encrypting by default can only work for recipients whose public key is in your keyring; for everyone else Enigmail will have to ask you what to do when you send.

[Screenshot: Set default behaviour]

Automatically Sign / Encrypt Mail to Specific Recipients
This is a very useful setting if only some of your contacts use OpenPGP encryption. To sign and/or encrypt mail by default to particular recipients, you use "Per-Recipient Rules". To access these, open Thunderbird and go to OpenPGP > EDIT PER-RECIPIENT RULES, then click ADD.

Enter the email addresses in the box marked "Set OpenPGP Rules For" (this could be the email address of every contact you know who uses OpenPGP, one person, or a group of people who all use PGP/MIME or inline PGP).

Under "Action" you can select your contact's OpenPGP key, or, if the rule covers a list of contacts, just select "Continue with next rule for matching address" (easiest to set up).

You can then select whether to sign, encrypt or both, and whether to use PGP/MIME or inline PGP. Rules are applied in the order they are listed, so keep rules for specific addresses above any rule that covers a whole domain.

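If you have a long list of contacts, adding one rule per address through the dialog gets tedious. The following is an added example (not from the original page, and not Enigmail's own code) that writes a rule file for a contact list and then shows which rule an outgoing address will hit. It assumes the on-disk format Enigmail used for per-recipient rules as I recall it: a pgprules.xml file in the profile holding <pgpRule email="..." keyId="..." sign="N" encrypt="N" pgpMime="N"/> elements, where the email attribute holds space-separated patterns written as {addr} for "is exactly", {addr for "begins with", addr} for "ends with" and a bare addr for "contains", N is 0 = never, 1 = yes if selected when composing, 2 = always, and an empty keyId is "Continue with next rule for matching address". Check that against the file in your own profile before replacing it. The addresses and key IDs are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original page and not Enigmail's own code.
# Assumed rule-file format (verify against your profile's pgprules.xml):
#   <pgpRule email="PATTERNS" keyId="IDS" sign="N" encrypt="N" pgpMime="N"/>
#   PATTERNS: space separated; {addr} exact, {addr begins with,
#             addr} ends with, addr contains
#   N: 0 = never, 1 = yes if selected when composing, 2 = always
#   empty keyId = "continue with next rule for matching address"

# match_pattern PATTERN ADDRESS: succeeds when PATTERN covers ADDRESS
match_pattern() {
    p=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    a=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    core=${p#\{}; core=${core%\}}
    case "$p" in
        \{*\}) [ "$a" = "$core" ] ;;
        \{*)   case "$a" in "$core"*) true ;; *) false ;; esac ;;
        *\})   case "$a" in *"$core") true ;; *) false ;; esac ;;
        *)     case "$a" in *"$core"*) true ;; *) false ;; esac ;;
    esac
}

# write_rules RULEFILE CONTACTSFILE DOMAIN: one exact-match rule per
# "address keyid" line of CONTACTSFILE (sign and encrypt always, with that
# key), then one ends-with rule for DOMAIN that signs always, encrypts only
# when selected, and leaves keyId empty ("continue with next rule").
write_rules() {
    {
        echo '<?xml version="1.0"?>'
        echo '<pgpRuleList>'
        while read -r addr key; do
            [ -n "$addr" ] || continue
            printf '  <pgpRule email="{%s}" keyId="%s" sign="2" encrypt="2" pgpMime="2"/>\n' \
                "$addr" "$key"
        done < "$2"
        printf '  <pgpRule email="%s}" keyId="" sign="2" encrypt="1" pgpMime="1"/>\n' "$3"
        echo '</pgpRuleList>'
    } > "$1"
}

# attr LINE NAME: value of attribute NAME in one <pgpRule .../> line
attr() {
    printf '%s' "$1" | sed "s/.* $2=\"\([^\"]*\)\".*/\1/"
}

# resolve RULEFILE ADDRESS: prints "keyId sign encrypt" for the first rule
# whose patterns match ADDRESS ("-" stands for an empty keyId), or "none".
# Rules are checked top-down, as the rule editor lists them.
resolve() {
    result=none
    while IFS= read -r line; do
        case "$line" in *'<pgpRule '*) ;; *) continue ;; esac
        for pat in $(attr "$line" email); do
            if match_pattern "$pat" "$2"; then
                key=$(attr "$line" keyId)
                result="${key:--} $(attr "$line" sign) $(attr "$line" encrypt)"
                break 2
            fi
        done
    done < "$1"
    echo "$result"
}

# Demo with constructed data: two contacts with made-up key IDs, plus a
# domain-wide rule for everyone else at example.org.
demo() {
    work=$(mktemp -d)
    printf 'alice@example.org 0x1111222233334444\nbob@example.net 0x5555666677778888\n' \
        > "$work/contacts"
    write_rules "$work/pgprules.xml" "$work/contacts" "@example.org"
    cat "$work/pgprules.xml"
    for who in Alice@Example.org carol@example.org dave@other.invalid; do
        echo "$who -> $(resolve "$work/pgprules.xml" "$who")"
    done
    rm -rf "$work"
}
demo
```

The resolver only models rule selection; it does not look keys up in the keyring. Matching is case-insensitive because email addresses in practice are, and the order of rules matters: if the domain-wide rule were placed first, Alice would get the "continue" rule rather than her own key.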

These settings allow the encryption and/or signing process to be fully automated. All you have to do is type your passphrase when you send an email and the rest is done for you. It is possible to combine this automation with the "no passphrase" option described above for the ultimate in ease of use, but I want to stress again the security disadvantages that causes.
